• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Malware
  • Simplocker, the first Android File-Encrypting Ransomware

Simplocker, the first Android File-Encrypting Ransomware

Pierluigi Paganini June 05, 2014

Security experts at ESET discovered and analyzed the first Android File-Encrypting ransomware dubbed Simplocker with C&C hosted on TOR.

Ransomware is  not a prerogative of desktop computers, cyber criminals are targeting also mobile platforms, recently it has been discovered the first mobile trojan able to encrypt victim’s data on Android by ESET security firm.

Cyber criminals have already adopted an extortion scheme for Android OS, last year security experts at Symantec detected a malicious application, calling itself Android Defender, that pretending to be a mobile AV was blocking the mobile screen.

This week, malware analysts at ESET announced to have detected a new Android trojan, dubbed Android/ Simplocker, that once infected the mobile device scans the SD card for certain file types (e.g. jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4), encrypts them with AES, and demands a ransom in order to decrypt the files.

The sample of Simplocker ransomware analyzed by the specialists at ESET is in the form of an application called ‘Sex xionix’, the bad news is that it was available on the official Google Play.

In the following image is proposed the message displayed by Android/ Simplocker just after its execution, in this phase a separate thread in the background is launched by the ransomware to encrypt the file.

Android Simplocker Malware

The ransom message is written in Russian and its translation looks like:

“WARNING your phone is locked! The device is locked for viewing and distribution child pornography , zoophilia and other perversions. To unlock you need to pay 260 UAH. 1. Locate the nearest payment kiosk. 2. Select MoneXy 3. Enter {REDACTED}. 4. Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt! After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

The experts highlight that the payment demanded is in Ukrainian hryvnias, this means that the instance of ransomware is designed to target users in this region. The Russia, including ex states of the old Soviet Union, is a very prolific for cyber criminals activities, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from these countries.

To make hard the payment tracking the criminals have chosen the MoneXy service, the ransom request is 260 UAH (16 EUR).

 

Android Simplocker Malware 2

 

The Android/ Simplocker.  also contacts the C&C server and send device information (e.g. IMEI, model, OS version), once again the author of the malware demonstrated attention to the details, improving anonymity of control infrastructure hosting it in Tor network.

Android Simplocker Malware Tor

ESET experts believe that to the C&C is also assigned the task to verify the payment reception to return the decrypted file to victims:

“As you may notice on the nag-screen above, there is no input field for a payment-confirming code of any kind, as we’ve seen in earlier examples of Windows ransomware. Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files.” states the blog post issued by ESET.

Analysts suspect that the version of Android/ Simplock. A analyzed it a proof-of-concept or a work in progress, the malware is capable of encrypting the user’s files, but data may be lost if the encryption key is not retrieved.

As usual, it is suggested to the victims to report to law enforcement in case of infection, avoiding to pay the ransom.

“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.” states ESET.

To protect yourself from ransomware never open email attachments from unknown sources and backup your data periodically.

Pierluigi Paganini

(Security Affairs –  Simplock, ransomware)


facebook linkedin twitter

Android Cryptolocker extortion mobile ransomware Simplocker Tor

you might also like

Pierluigi Paganini July 24, 2025
Coyote malware is first-ever malware abusing Windows UI Automation
Read more
Pierluigi Paganini July 24, 2025
Stealth backdoor found in WordPress mu-Plugins folder
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Coyote malware is first-ever malware abusing Windows UI Automation

    Malware / July 24, 2025

    SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

    Security / July 24, 2025

    DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

    Security / July 24, 2025

    Stealth backdoor found in WordPress mu-Plugins folder

    Malware / July 24, 2025

    U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 24, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT